topic Re: Redirect http and https traffic from ASA 5520 via squid in Network Security

Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Mon, 11 Mar 2019 19:25:47 GMT

Hi,

Right now, in my network there is no proxy server and all users go straight through the ASA to access internet. I would like to put a squid with dansguardian (for web filtering). Can someone guide me the steps in getting all http and https traffic from ASA go via my squid? Any help greatly appreciated.

Thanks,

Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

deyster94 — Tue, 21 Dec 2010 14:30:16 GMT

The ASA can only redirect HTTP/HTTPs traffic to a websense or secure computing smartfilter (owned by McAfee). I had a client that used squid for a proxy and they used a GPO or script to force a browser to use it.

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Tue, 21 Dec 2010 14:54:58 GMT

I certainly believe that we can redirect traffic via squid. I have seen some posts which does this using wccp.

My current config is below:

access-list wccp-servers permit ip host 192.168.40.201 any
access-list wccp-traffic permit ip 192.168.40.0 255.255.255.0 any

wccp web-cache group-list wccp-servers redirect-list wccp-traffic
wccp interface Management web-cache redirect in
wccp interface inside web-cache redirect in

192.168.40.201 is my proxy server ip

But I think there is nothing happening in the ASA:

ASA(config)# sh wccp interfaces

WCCP interface configuration:
    GigabitEthernet0/1
        Output services: 0
        Input services: 1
        Mcast services: 0
        Exclude In:      FALSE

    Management0/0
        Output services: 0
        Input services: 1
        Mcast services: 0
        Exclude In:      FALSE

ASA(config)# sh wccp

Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Any help?

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

deyster94 — Tue, 21 Dec 2010 15:00:25 GMT

Fair enough. Not having implemented WCCP on the ASA, I can't be of help with this. However, a quick google search came up with this:

http://parvinderbhasin.blogspot.com/2009/06/squid-wccp-and-cisco-asa-setup.html

HTH

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Tue, 21 Dec 2010 15:04:23 GMT

Yep...I did the configuration using the same url. Thanks for your time.

Can some one see whether there is any issue with my wccp configuration?

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

Panos Kampanakis — Tue, 21 Dec 2010 23:25:40 GMT

I see two redirect interfaces

wccp web-cache group-list wccp-servers redirect-list wccp-traffic
wccp interface Management web-cache redirect in
wccp interface inside web-cache redirect in

Where are your host browsing? Behind what interface?

Your hosts need to be behind the same interface as the wccp engine, that is a requirement

I hope it helps.

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Wed, 22 Dec 2010 03:54:48 GMT

All hosts are in 192.168.40.0/24 network and my proxy server is also in 40 n/w.

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Wed, 22 Dec 2010 13:42:45 GMT

My scenario is like below:

Users (in 192.168.40.0/24 n/w) ------- Layer 3 switch(default g/w of all traffic is 192.168.30.1) ------------(192.168.30.8) ASA--------Internet

Management interface IP of ASA is 192.168.40.8 and inside interface IP is 192.168.30.8. Squid server is connected in Layer 3 switch with IP 192.168.40.201. All users are in 192.168.40.0/24 n/w.

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

Panos Kampanakis — Wed, 22 Dec 2010 14:46:11 GMT

Your hosts need to be behind the same interface as your squid. The squid needs to be able to send the pages to the hosts directly, not through the ASA.

To begin with I would try just the

wccp web-cache redirect-list wccp-traffic
wccp interface Management web-cache redirect in

Make sure the management interface has the command "no management-only".

Then see if the ASA redirects and if he sees the squid "sh wccp" commands.

I hope it helps.

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Thu, 23 Dec 2010 11:31:46 GMT

Hi,

My show wccp command output is below:

ASA(config)# sh wccp

Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

It seems nothing is happening. I did "no management-only command in my management interface.

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

ssantosh1978 — Wed, 05 Jan 2011 11:02:00 GMT

Hey Ribin,

Use route-map to route port 80 (internet) traffic to Squid Proxy Server. Also you need to configure IPtables on squid accordingly (in case of transparent Proxy) Use below configuration on your cisco ASA (i.e. on your gateway). Check whether route-map command is available on your ASA.

access-list 111 deny tcp any any neq www (create access list for port 80 traffic)

access-list 111 deny tcp host 192.168.100.1 any (192.168.100.1 - squid proxy)

access-list 111 permit tcp any any

route-map proxy-redirect permit 100

match ip address 111

set ip next-hop 192.168.100.1 (forward all port 80 traffic to squid- 192.168.100.1)

Cheers!!

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Wed, 05 Jan 2011 15:19:10 GMT

Hi Santhosh,

Yes, route-map command is available in my ASA. Can I do the similar configuration in my Layer 3 switch? My L3 switch has ipservices ios and it supports route-map commands, rather than doing this in ASA?

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

ssantosh1978 — Thu, 06 Jan 2011 10:23:26 GMT

Hi Ribin

Yes you can use route-map on your switch (but switch needs to be gateway for your network). I am using route map on my cisco 3750 series switch with Squid which is acting as gateway for my network... Let me know if you have any issues.

Cheers!!!

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Fri, 07 Jan 2011 07:33:53 GMT

I will give it a try today and let u know....

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Fri, 07 Jan 2011 08:45:38 GMT

Hey Santhosh,

Just a final review before I try this. My scenario is like below:

Users (in 192.168.40.0/24 n/w) ------- Layer 3 with vlan's 40 and 30(default g/w of all traffic is 192.168.30.1 which is ASA's inside IP) ------------(192.168.30.8) ASA--------Internet.

Users and proxy server (192.168.40.201) are in the same vlan 40. Where do I need to apply the policy map? I hope it is in vlan 40 in my layer 3 switch, right?

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Fri, 07 Jan 2011 14:22:30 GMT

It worked great ... Thank you Santhosh and others.....

- Ribin

Re: Redirect http and https traffic from ASA 5520 via squid

ribin.jones — Thu, 13 Jan 2011 12:50:44 GMT

Santhosh,

A clarification..What does the first line of below acl does for proxy redirect? I hope it denies all traffic except 80 and redirects 80 traffic to proxy ip?

access-list 111 deny tcp any any neq www
access-list 111 deny tcp host 192.168.40.11 any

access-list 111 permit tcp any any

192.168.40.11 is my proxy ip.

Re: Redirect http and https traffic from ASA 5520 via squid

ssantosh1978 — Mon, 01 Aug 2011 10:39:09 GMT

Hey Ribin

Please follow below steps to redirect http traffic to squid..

http://www.vmwareandme.com/2013/10/guide-how-to-redirect-http-traffic-from_23.html

Redirect http and https traffic from ASA 5520 via squid

psmidcnss — Wed, 11 Apr 2012 13:56:34 GMT

Yes but you apply the route map on your L3 switch, NOT on the ASA.

ASA has not the set ip next hop feature, route maps are only used in routing protocol (RIP, OSPF, etc) redistribution!